We collect information you provide directly to us. For example, we collect information when you register or log on to the Sites, create an account, subscribe to a Service, participate in any interactive features on our Services, fill out a form, take part in surveys, post on our message boards, upload any documentation, request customer support, make an enquiry, communicate with us by email, phone, or post, or interact with us on social media.

We will also collect your information when you partially complete and/or abandon any information inputted in the Sites, and we may use this information to contact you and remind you to complete any outstanding information.

Every computer connected to the internet is given a domain name and a set of numbers that serve as that computer’s internet protocol (“IP address”). When you use the Sites, our web servers automatically recognize your domain name and IP address. The domain name and IP address reveal nothing personal about you other than the IP address from which you have accessed the Sites. We are able to see information relating to your browsing patterns and technical data about the equipment you use to access the website through the use of cookies, server logs, and other similar technologies. You can select your preferences from the cookie settings on any of our websites.

We may also collect technical data from third parties or public sources such as analytics providers, identity verification providers, advertising networks, and search information providers. We may obtain contact, financial, and transaction data from providers of technical, payment, credit referencing, and delivery services based both inside and outside Nigeria. We utilise third-party service providers to secure information related to financial crime, fraud, sanctions, and politically exposed persons.

We do not own the personal data provided and will only store such data for a period reasonably needed. We will do our best to ensure that such personal data is secured against all foreseeable hazards and breaches such as theft, cyber-attacks, viral attacks, unauthorised dissemination, manipulation of any kind, or damage by rain, fire, or exposure to other natural elements.

We will not sell, share, transfer, or rent out any personal information to others in ways different from what is disclosed in this Policy and our Terms and Conditions of Use. We may share generic information not linked to any personally identifiable information regarding visitors and users with our business partners, trusted affiliates, and advertisers.

In order to provide you with access to the Services, or to provide you with better service in general, we may combine information obtained from other sources (for example, a third-party developer whose application you have authorised) and combine that with information we collect through the Sites.

The purpose of collecting your personal data is to give you an efficient, enjoyable, secure, and seamless customer experience.

We may use your personal data based on your consent for the following purposes:

• To respond to your enquiries and fulfil any of your requests for information;
• To process transactions and send notices about your transactions to requisite parties;
• To verify your identity;
• To resolve disputes and troubleshoot problems;
• To improve our services by implementing aggregate customer preferences;
• To manage and protect our information technology infrastructure;
• To monitor traffic patterns and usage of the Sites to help to improve the Sites' design and layout;
• To record and store communications made via phone, Skype, or the website chat function;
• To personalise your experience on our Sites or communications/advertising;
• To send you important information regarding the services and/or other technical notices, updates, security alerts, support, and administrative messages;
• To poll your opinions through surveys or questionnaires;
• As 1UBank believes to be necessary or appropriate:
• To comply with a legal obligation. This applies where the processing is necessary for 1UBank to comply with the law;
• To protect 1UBank’s legitimate interests, privacy, property or safety, and/or those of a third party as long as your rights do not override those interests;
• To protect your vital interests.

We may monitor and record our communications with you, including e-mails and phone conversations for training, quality assurance purposes, and to meet our legal and regulatory obligations in general.

Whenever we use your information for our legitimate interests, we will ensure that your information is processed on an anonymised basis and displayed at aggregated levels, which will not be linked back to you or to any living individual.

Your personal data is protected by legal rights enshrined in Data Protection Laws. These rights include the following:

• Right to be informed i.e. confirmation as to whether the data controller or a data processor operating on its behalf is storing or otherwise processing personal data relating to the data subject;
• Right to request a copy of the data subject’s personal data in a commonly used electronic format, except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the controller to bear some or all of the costs;
• Right to have correction or, if correction is not feasible or suitable, deletion of the data subject’s personal data that is inaccurate, out of date, incomplete, or misleading;
• Right for erasure of personal data concerning the data subject, without undue delay;
• Right to withdraw, at any time, consent to the processing of personal data under the Nigeria Data Protection Act 2023;
• Right to object to the processing of personal data concerning the data subject;
• Right to object to any decisions based on the automated processing of your personal data, including profiling;
• Right to data portability;
• Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC).

Please note that if you request a copy of your personal data, you may be required to pay a fee if the requests are considered manifestly unfounded or excessive.

If you would like to exercise any of the above stated rights, please follow the procedures below:

• Put your request in writing and send it to us through your usual registered channel (e.g. by registered email) and specify the right you wish to exercise.
• You can also access the Data Subject Access Request (DSAR) portal on our website.

For more information or to exercise your data protection rights, please contact us via 4u@1ubank.com.

We will endeavour to process all subject access requests within thirty (30) days and if any further extension is required, we will communicate same through existing consented channels – at no cost. However, please note that you may continue to receive existing communications for a transitional period whilst we update your preferences.

We will not retain your personal data for longer than is necessary for the purposes for which such personal data is processed. This means that your personal data will only be retained for as long as it is still required to provide you with the Services or is necessary for legal reasons. When calculating the appropriate retention period of your personal data we consider the nature and sensitivity of the personal data, the purposes for which we are processing such personal data, and any applicable statutory/regulatory retention periods. Using these criteria, we regularly review the personal data that we hold and the purposes for which such is held and processed. Our Payment Card Industry Data Security Standard (“PCIDSS”) obligation means that we are obliged to retain personal data for a minimum of ten (10) years from the end date of our business relationship with you. When we determine that personal data can no longer be retained (or where you request that we delete your personal data in accordance with your rights contained in Data Protection Laws) we ensure that such personal data is securely deleted, anonymised or destroyed. Please see details of our data retention and disposal process below:

On at least a quarterly basis, we systematically remove and destroy all cardholder data that has exceeded its retention period, and review and ensure the remaining stored cardholder data remains within the formal retention requirements. Wherever the primary account number (“PAN”) is stored, whether electronically or on paper, it is masked. The first six and last four digits are the maximum number of digits that may be displayed. Certain members of the operations and Service delivery units have a legitimate business need when dealing with customer/cardholder enquiries to access the PAN. Wherever the PAN is stored (including in logs, removable media, etc.), it is made unreadable by means of one-way hashes. Cardholder data is never stored on removable media and when removable physical storage media (including documents, faxes, and electronic media) are no longer required (i.e. they have passed their retention periods), they are destroyed.

It is important that the personal data 1UBank holds about you is accurate and current. Please keep 1UBank informed if any aspect of your personal data changes at any time during your relationship with us. On our customer facing products, you can easily update your personal data yourself or alternatively contact via 4u@1ubank.com when you want to exercise your right of rectification.

In order to protect your personal data, we have put in place appropriate organisational and technical security measures. These measures include storing data on a dedicated and secure server with at least 256-bit encryption, restricting access to your personal data to certain employees, ensuring that our internal information technology systems are suitably secure, and implementing procedures to deal with any suspected data breach. In the unlikely event of a data breach, 1UBank will take steps to mitigate any loss or destruction of data and, if appropriate, will notify you and any applicable authority of such a breach. We will keep your information secure by taking appropriate technical and organisational measures against its unauthorised or unlawful processing and against its accidental loss, destruction or damage. We will do our best to protect your personal data, but we cannot guarantee the security of your personal data which is transmitted to other websites via an internet or similar connection. If we have given you (or you have chosen) a password to access certain areas of the Sites please keep this password safe, we will not share this password with anyone. As a user of the Services, you understand and agree that you assume all responsibility and risk attached to safeguarding your account with us. You shall at no time whatsoever disclose your password to anyone, nor shall you allow anyone make use of your account.

Due to the fact that we operate in a regulated environment, we cannot ensure that all your private communications and other personally identifiable information will never be disclosed in ways not otherwise described in this Policy. By way of example (without limiting the foregoing), we may be required to disclose information to the government, regulatory bodies, law enforcement agencies, and third parties for the performance of a task carried out in the interest of the public interest. We may need to pass your information to third party service providers which maintain, administer or develop the Sites on our behalf and the information will only be provided for such limited purposes and as detailed below. Additionally, we may provide aggregate statistics about our customers, sales, traffic patterns and related website information to reputable third-parties, but these statistics will include no personally identifiable information. 1UBank may transfer your personal data to third parties (“Third Party Providers”) of the following types: • companies providing identity or financial validation services; • financial product providers; • payment services companies acting on your, or our behalf; • banks; • companies providing analytics services; • data, service and software providers; • Regulatory and law enforcement bodies. A few of our identity verification Third Party Providers collect your personal data via our Sites through the use of Smile Identity (SmileID) Application Programming Interface. As a result of the integration of our Sites with such Third Party Providers, our Sites make use of automatically collected information using the device camera on your device and the SmileID API. The use of your personal data collected as a result of this is to track your facial features and facial expressions. In doing this, we use this data to ensure that the picture (selfie) being taken is of a live user for authentication and fraud reduction purposes. None of the information collected by the SmileID API ever leaves your device nor is it persistently stored on the device. We will do our reasonable best to ensure personal data provided by you to us and shared with a Third Party Provider is done in accordance with the provisions of Data Protection Laws. We will also reasonably ensure that such Third Party Providers with whom we share your personal data will ensure the security of the same as provided by this Policy and in accordance with Data Protection Laws.

Cookies are small text files stored on your device when you visit a website. These files contain information that helps enhance your browsing experience by remembering your preferences, enabling functionalities, and providing personalised services.

The types of cookies we use are:

• Necessary Cookies: These are essential for the website to function properly and cannot be disabled.
• Performance and Analytics Cookies: These cookies help us analyse site performance and improve its functionality.
• Advertising and Targeting Cookies: These cookies are used to deliver relevant advertisements to you.

We use cookies for various purposes, including:

• Personalisation: To provide tailored content and advertisements based on your preferences.
• Security: To ensure safe and secure access to our website.
• Analytics: To collect data about website traffic and user behaviour for continuous improvement.
• Functionality: To remember your preferences and provide a seamless user experience.

You have the option to manage your cookie preferences. Most web browsers allow you to control cookies through their settings. You can:

• Enable or disable the cookies.
• Delete cookies stored on your device.
• Adjust browser settings to notify you before accepting cookies.

We are constantly trying to improve our Sites and services, so we may need to change this Policy from time to time as well. We will alert you of material changes by, for example, placing a notice on our websites and/or by sending you an email (if you have registered your e-mail details with us) when we are required to do so by applicable law. We reserve the right to update this Policy as we deem fit, from time to time, without any intimation to you and your continued use of the Sites will signify your acceptance of any amendment to these terms. Our updated terms will also be displayed on our website (https://1ubank.com). It is your responsibility to check this Privacy Policy from time to time to verify such updates. If you believe at any time that we have not handled your personal data in accordance with this Policy, please contact us. If you have any questions, comments and requests regarding your privacy and rights, please let us know how we can help. Last Updated: 25th April, 2025